From 1b705df95846f7f8811e15d1d0c5bd8df5d054dc Mon Sep 17 00:00:00 2001 From: Justin Baur <19896123+justindbaur@users.noreply.github.com> Date: Fri, 15 Dec 2023 10:53:00 -0500 Subject: [PATCH] [PM-5293] Redis for Grants (#3577) * Add Initial Redis Implementation * Format * Add Key to PersistedGrant * Reference Identity In Microbenchmark Project * Allow Filterable Benchmarks * Use Shorter Key And Cast to RedisKey Once * Add RedisPersistedGrantStore Benchmarks * Run restore * Format * Update ID4 References * Make RedisGrantStore Singleton * Use MessagePack * Use Cached Options * Turn off Compression * Minor Feedback * Add Docs to StorablePersistedGrant * Use existing Identity Redis --------- Co-authored-by: Matt Bishop --- .../RedisPersistedGrantStoreTests.cs | 97 ++++++++++ perf/MicroBenchmarks/MicroBenchmarks.csproj | 1 + perf/MicroBenchmarks/Program.cs | 5 +- src/Identity/Identity.csproj | 1 + .../RedisPersistedGrantStore.cs | 181 ++++++++++++++++++ .../Utilities/ServiceCollectionExtensions.cs | 27 ++- 6 files changed, 308 insertions(+), 4 deletions(-) create mode 100644 perf/MicroBenchmarks/Identity/IdentityServer/RedisPersistedGrantStoreTests.cs create mode 100644 src/Identity/IdentityServer/RedisPersistedGrantStore.cs diff --git a/perf/MicroBenchmarks/Identity/IdentityServer/RedisPersistedGrantStoreTests.cs b/perf/MicroBenchmarks/Identity/IdentityServer/RedisPersistedGrantStoreTests.cs new file mode 100644 index 0000000000..0ca09992f8 --- /dev/null +++ b/perf/MicroBenchmarks/Identity/IdentityServer/RedisPersistedGrantStoreTests.cs @@ -0,0 +1,97 @@ +using BenchmarkDotNet.Attributes; +using Bit.Identity.IdentityServer; +using Bit.Infrastructure.Dapper.Auth.Repositories; +using Duende.IdentityServer.Models; +using Duende.IdentityServer.Stores; +using Microsoft.Extensions.Logging.Abstractions; +using StackExchange.Redis; + +namespace Bit.MicroBenchmarks.Identity.IdentityServer; + +[MemoryDiagnoser] +public class RedisPersistedGrantStoreTests +{ + const string SQL = nameof(SQL); + const string Redis = nameof(Redis); + private readonly IPersistedGrantStore _redisGrantStore; + private readonly IPersistedGrantStore _sqlGrantStore; + private readonly PersistedGrant _updateGrant; + + private IPersistedGrantStore _grantStore = null!; + + // 1) "ConsumedTime" + // 2) "" + // 3) "Description" + // 4) "" + // 5) "SubjectId" + // 6) "97f31e32-6e44-407f-b8ba-b04c00f51b41" + // 7) "CreationTime" + // 8) "638350407400000000" + // 9) "Data" + // 10) "{\"CreationTime\":\"2023-11-08T11:45:40Z\",\"Lifetime\":2592001,\"ConsumedTime\":null,\"AccessToken\":{\"AllowedSigningAlgorithms\":[],\"Confirmation\":null,\"Audiences\":[],\"Issuer\":\"http://localhost\",\"CreationTime\":\"2023-11-08T11:45:40Z\",\"Lifetime\":3600,\"Type\":\"access_token\",\"ClientId\":\"web\",\"AccessTokenType\":0,\"Description\":null,\"Claims\":[{\"Type\":\"client_id\",\"Value\":\"web\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"scope\",\"Value\":\"api\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"scope\",\"Value\":\"offline_access\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"sub\",\"Value\":\"97f31e32-6e44-407f-b8ba-b04c00f51b41\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"auth_time\",\"Value\":\"1699443940\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#integer64\"},{\"Type\":\"idp\",\"Value\":\"bitwarden\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"amr\",\"Value\":\"Application\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"premium\",\"Value\":\"false\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#boolean\"},{\"Type\":\"email\",\"Value\":\"jbaur+test@bitwarden.com\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"email_verified\",\"Value\":\"false\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#boolean\"},{\"Type\":\"sstamp\",\"Value\":\"a4f2e0f3-e9f8-4014-b94e-b761d446a34b\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"name\",\"Value\":\"Justin Test\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"orgowner\",\"Value\":\"8ff8fefb-b035-436b-a25c-b04c00e30351\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"accesssecretsmanager\",\"Value\":\"8ff8fefb-b035-436b-a25c-b04c00e30351\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"device\",\"Value\":\"64b49c58-7768-4c30-8396-f851176daca6\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"jti\",\"Value\":\"CE008210A8276DAB966D9C2607533E0C\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"iat\",\"Value\":\"1699443940\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#integer64\"}],\"Version\":4},\"Version\":4}" + // 11) "Type" + // 12) "refresh_token" + // 13) "SessionId" + // 14) "" + // 15) "ClientId" + // 16) "web" + + public RedisPersistedGrantStoreTests() + { + _redisGrantStore = new RedisPersistedGrantStore( + ConnectionMultiplexer.Connect("localhost"), + NullLogger.Instance, + new InMemoryPersistedGrantStore() + ); + + var sqlConnectionString = "YOUR CONNECTION STRING HERE"; + + _sqlGrantStore = new PersistedGrantStore( + new GrantRepository( + sqlConnectionString, + sqlConnectionString + ) + ); + + var creationTime = new DateTime(638350407400000000, DateTimeKind.Utc); + _updateGrant = new PersistedGrant + { + Key = "i11JLqd7PE1yQltB2o5tRpfbMkpDPr+3w0Lc2Hx7kfE=", + ConsumedTime = null, + Description = null, + SubjectId = "97f31e32-6e44-407f-b8ba-b04c00f51b41", + CreationTime = creationTime, + Data = "{\"CreationTime\":\"2023-11-08T11:45:40Z\",\"Lifetime\":2592001,\"ConsumedTime\":null,\"AccessToken\":{\"AllowedSigningAlgorithms\":[],\"Confirmation\":null,\"Audiences\":[],\"Issuer\":\"http://localhost\",\"CreationTime\":\"2023-11-08T11:45:40Z\",\"Lifetime\":3600,\"Type\":\"access_token\",\"ClientId\":\"web\",\"AccessTokenType\":0,\"Description\":null,\"Claims\":[{\"Type\":\"client_id\",\"Value\":\"web\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"scope\",\"Value\":\"api\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"scope\",\"Value\":\"offline_access\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"sub\",\"Value\":\"97f31e32-6e44-407f-b8ba-b04c00f51b41\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"auth_time\",\"Value\":\"1699443940\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#integer64\"},{\"Type\":\"idp\",\"Value\":\"bitwarden\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"amr\",\"Value\":\"Application\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"premium\",\"Value\":\"false\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#boolean\"},{\"Type\":\"email\",\"Value\":\"jbaur+test@bitwarden.com\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"email_verified\",\"Value\":\"false\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#boolean\"},{\"Type\":\"sstamp\",\"Value\":\"a4f2e0f3-e9f8-4014-b94e-b761d446a34b\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"name\",\"Value\":\"Justin Test\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"orgowner\",\"Value\":\"8ff8fefb-b035-436b-a25c-b04c00e30351\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"accesssecretsmanager\",\"Value\":\"8ff8fefb-b035-436b-a25c-b04c00e30351\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"device\",\"Value\":\"64b49c58-7768-4c30-8396-f851176daca6\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"jti\",\"Value\":\"CE008210A8276DAB966D9C2607533E0C\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#string\"},{\"Type\":\"iat\",\"Value\":\"1699443940\",\"ValueType\":\"http://www.w3.org/2001/XMLSchema#integer64\"}],\"Version\":4},\"Version\":4}", + Type = "refresh_token", + SessionId = null, + ClientId = "web", + Expiration = creationTime.AddHours(1), + }; + } + + [Params(Redis, SQL)] + public string StoreType { get; set; } = null!; + + [GlobalSetup] + public void Setup() + { + if (StoreType == Redis) + { + _grantStore = _redisGrantStore; + } + else if (StoreType == SQL) + { + _grantStore = _sqlGrantStore; + } + else + { + throw new InvalidProgramException(); + } + } + + [Benchmark] + public async Task StoreAsync() + { + await _grantStore.StoreAsync(_updateGrant); + } +} diff --git a/perf/MicroBenchmarks/MicroBenchmarks.csproj b/perf/MicroBenchmarks/MicroBenchmarks.csproj index 42ba56d141..7a2bdb02d9 100644 --- a/perf/MicroBenchmarks/MicroBenchmarks.csproj +++ b/perf/MicroBenchmarks/MicroBenchmarks.csproj @@ -13,6 +13,7 @@ + diff --git a/perf/MicroBenchmarks/Program.cs b/perf/MicroBenchmarks/Program.cs index 4112e920d2..b986d99c43 100644 --- a/perf/MicroBenchmarks/Program.cs +++ b/perf/MicroBenchmarks/Program.cs @@ -1,4 +1,3 @@ -using System.Reflection; -using BenchmarkDotNet.Running; +using BenchmarkDotNet.Running; -BenchmarkRunner.Run(Assembly.GetEntryAssembly()); +BenchmarkSwitcher.FromAssembly(typeof(Program).Assembly).Run(args); diff --git a/src/Identity/Identity.csproj b/src/Identity/Identity.csproj index 504227b619..2f40a30e27 100644 --- a/src/Identity/Identity.csproj +++ b/src/Identity/Identity.csproj @@ -13,6 +13,7 @@ + diff --git a/src/Identity/IdentityServer/RedisPersistedGrantStore.cs b/src/Identity/IdentityServer/RedisPersistedGrantStore.cs new file mode 100644 index 0000000000..ee15d69dfb --- /dev/null +++ b/src/Identity/IdentityServer/RedisPersistedGrantStore.cs @@ -0,0 +1,181 @@ +using System.Diagnostics; +using Duende.IdentityServer.Models; +using Duende.IdentityServer.Stores; +using MessagePack; +using StackExchange.Redis; + +namespace Bit.Identity.IdentityServer; + +/// +/// A that persists its grants on a Redis DB +/// +/// +/// This store also allows a fallback to another store in the case that a key was not found +/// in the Redis DB or the Redis DB happens to be down. +/// +public class RedisPersistedGrantStore : IPersistedGrantStore +{ + private static readonly MessagePackSerializerOptions _options = MessagePackSerializerOptions.Standard; + private readonly IConnectionMultiplexer _connectionMultiplexer; + private readonly ILogger _logger; + private readonly IPersistedGrantStore _fallbackGrantStore; + + public RedisPersistedGrantStore( + IConnectionMultiplexer connectionMultiplexer, + ILogger logger, + IPersistedGrantStore fallbackGrantStore) + { + _connectionMultiplexer = connectionMultiplexer; + _logger = logger; + _fallbackGrantStore = fallbackGrantStore; + } + + public Task> GetAllAsync(PersistedGrantFilter filter) + { + _logger.LogWarning("Redis does not implement 'GetAllAsync', Skipping."); + return Task.FromResult(Enumerable.Empty()); + } + public async Task GetAsync(string key) + { + try + { + if (!_connectionMultiplexer.IsConnected) + { + // Redis is down, fallback to using SQL table + _logger.LogWarning("This is not connected, using fallback store to execute 'GetAsync' with {Key}.", key); + return await _fallbackGrantStore.GetAsync(key); + } + + var redisKey = CreateRedisKey(key); + + var redisDb = _connectionMultiplexer.GetDatabase(); + var redisValueAndExpiry = await redisDb.StringGetWithExpiryAsync(redisKey); + + if (!redisValueAndExpiry.Value.HasValue) + { + // It wasn't found, there is a chance is was instead stored in the fallback store + _logger.LogWarning("Could not find grant in primary store, using fallback one."); + return await _fallbackGrantStore.GetAsync(key); + } + + Debug.Assert(redisValueAndExpiry.Expiry.HasValue, "Redis entry is expected to have an expiry."); + + var storablePersistedGrant = MessagePackSerializer.Deserialize(redisValueAndExpiry.Value, _options); + + return new PersistedGrant + { + Key = key, + Type = storablePersistedGrant.Type, + SubjectId = storablePersistedGrant.SubjectId, + SessionId = storablePersistedGrant.SessionId, + ClientId = storablePersistedGrant.ClientId, + Description = storablePersistedGrant.Description, + CreationTime = storablePersistedGrant.CreationTime, + ConsumedTime = storablePersistedGrant.ConsumedTime, + Data = storablePersistedGrant.Data, + Expiration = storablePersistedGrant.CreationTime.Add(redisValueAndExpiry.Expiry.Value), + }; + } + catch (Exception ex) + { + _logger.LogWarning(ex, "Failure in 'GetAsync' using primary grant store, falling back."); + return await _fallbackGrantStore.GetAsync(key); + } + } + + public Task RemoveAllAsync(PersistedGrantFilter filter) + { + _logger.LogWarning("This does not implement 'RemoveAllAsync', Skipping."); + return Task.CompletedTask; + } + + // This method is not actually expected to get called and instead redis will just get rid of the expired items + public async Task RemoveAsync(string key) + { + if (!_connectionMultiplexer.IsConnecting) + { + _logger.LogWarning("Redis is not connected, using fallback store to execute 'RemoveAsync', with {Key}", key); + await _fallbackGrantStore.RemoveAsync(key); + } + + var redisDb = _connectionMultiplexer.GetDatabase(); + await redisDb.KeyDeleteAsync(CreateRedisKey(key)); + } + + public async Task StoreAsync(PersistedGrant grant) + { + try + { + if (!_connectionMultiplexer.IsConnected) + { + _logger.LogWarning("Redis is not connected, using fallback store to execute 'StoreAsync', with {Key}", grant.Key); + await _fallbackGrantStore.StoreAsync(grant); + } + + if (!grant.Expiration.HasValue) + { + throw new ArgumentException("A PersistedGrant is always expected to include an expiration time."); + } + + var redisDb = _connectionMultiplexer.GetDatabase(); + + var redisKey = CreateRedisKey(grant.Key); + + var serializedGrant = MessagePackSerializer.Serialize(new StorablePersistedGrant + { + Type = grant.Type, + SubjectId = grant.SubjectId, + SessionId = grant.SessionId, + ClientId = grant.ClientId, + Description = grant.Description, + CreationTime = grant.CreationTime, + ConsumedTime = grant.ConsumedTime, + Data = grant.Data, + }, _options); + + await redisDb.StringSetAsync(redisKey, serializedGrant, grant.Expiration.Value - grant.CreationTime); + } + catch (Exception ex) + { + _logger.LogWarning(ex, "Failure in 'StoreAsync' using primary grant store, falling back."); + await _fallbackGrantStore.StoreAsync(grant); + } + } + + private static RedisKey CreateRedisKey(string key) + { + return $"grant-{key}"; + } + + // This is a slimmer version of PersistedGrant that removes the Key since that will be used as the key in Redis + // it also strips out the ExpirationDate since we use that to store the TTL and read that out when we retrieve the + // object and can use that information to fill in the Expiration property on PersistedGrant + // TODO: .NET 8 Make all properties required + [MessagePackObject] + public class StorablePersistedGrant + { + [Key(0)] + public string Type { get; set; } + + [Key(1)] + public string SubjectId { get; set; } + + [Key(2)] + public string SessionId { get; set; } + + [Key(3)] + public string ClientId { get; set; } + + [Key(4)] + public string Description { get; set; } + + [Key(5)] + public DateTime CreationTime { get; set; } + + [Key(6)] + public DateTime? ConsumedTime { get; set; } + + [Key(7)] + public string Data { get; set; } + } +} diff --git a/src/Identity/Utilities/ServiceCollectionExtensions.cs b/src/Identity/Utilities/ServiceCollectionExtensions.cs index 07a46d1613..07d9ef32d2 100644 --- a/src/Identity/Utilities/ServiceCollectionExtensions.cs +++ b/src/Identity/Utilities/ServiceCollectionExtensions.cs @@ -1,10 +1,12 @@ using Bit.Core.IdentityServer; using Bit.Core.Settings; +using Bit.Core.Utilities; using Bit.Identity.IdentityServer; using Bit.SharedWeb.Utilities; using Duende.IdentityServer.ResponseHandling; using Duende.IdentityServer.Services; using Duende.IdentityServer.Stores; +using StackExchange.Redis; namespace Bit.Identity.Utilities; @@ -45,11 +47,34 @@ public static class ServiceCollectionExtensions .AddCustomTokenRequestValidator() .AddProfileService() .AddResourceOwnerValidator() - .AddPersistedGrantStore() .AddClientStore() .AddIdentityServerCertificate(env, globalSettings) .AddExtensionGrantValidator(); + if (CoreHelpers.SettingHasValue(globalSettings.IdentityServer.RedisConnectionString)) + { + // If we have redis, prefer it + + // Add the original persisted grant store via it's implementation type + // so we can inject it right after. + services.AddSingleton(); + + services.AddSingleton(sp => + { + return new RedisPersistedGrantStore( + // TODO: .NET 8 create a keyed service for this connection multiplexer and even PersistedGrantStore + ConnectionMultiplexer.Connect(globalSettings.IdentityServer.RedisConnectionString), + sp.GetRequiredService>(), + sp.GetRequiredService() // Fallback grant store + ); + }); + } + else + { + // Use the original grant store + identityServerBuilder.AddPersistedGrantStore(); + } + services.AddTransient(); return identityServerBuilder; }